Policy-Based PAT

jcw009 (Level 1)

Hi,

I'm setting up an ASA5520 and need to set up each subnet I'm running behind the firewall with a separate public IP address. I think I can do this with policy-based NAT, but now that I look at the documentation, maybe not.

Here's what I want to try:

nat (inside) 10 access-list ITS-pat

access-list ITS-pat extended permit ip a.b.c.d 255.255.255.0 host z.y.x.w

nat (inside) 20 access-list HR-pat

access-list HR-pat extended permit ip a.b.c.e 255.255.255.0 host z.y.x.t

Does it look like this will work? I'm not sure how I would test it until I put it into place.

Thanks!

Jeff

Accepted Solution

mmorris11 (Level 4)

Jeff,

Yes, this certainly can work, but you will need to add a corresponding "global (outside) 10 x.x.x.x-x.x.x.x" and "global (outside) 20 x.x.x.x-x.x.x.x" sort of statement in order to get NAT to actually occur.

HTH pls rate!

8 Replies

Thanks Mike!

It would look something like this?

global (outside) 10 z.y.x.w

nat (inside) 10 access-list ITS-pat

access-list ITS-pat extended permit ip a.b.c.d 255.255.255.0 host z.y.x.w

global (outside) 20 z.y.x.t

nat (inside) 20 access-list HR-pat

access-list HR-pat extended permit ip a.b.c.e 255.255.255.0 host z.y.x.t

Also, this would pat the internal subnets a.b.c.d to z.y.x.w

and

a.b.c.e to z.y.x.t

Right?

Thanks again!

Jeff

Yes! I have used such a config with success before. Good luck and please rate my post if you found it helpful!

-mike

Thanks!

Also, any ideas on how to test this? I'm not putting it in place for a while. I've always used nwtools.com for reverse IP lookup; I don't know of anything Windows-based that would do the same.

The most reliable way is to use an old pix or one that is designated for future use that you can mock your config up with.

I'm doing that now. Do you have any suggestions for testing the nat on an internal network?

jcw009 (Level 1)

Correction to the above rules:

It should be:

access-list PAT1 permit ip a.b.c.d 255.255.255.0 any

nat (inside) 10 access-list PAT1

global (outside) 10 z.y.x.w

access-list PAT2 permit ip a.b.c.e 255.255.255.0 any

nat (inside) 20 access-list PAT2

global (outside) 20 z.y.x.t

Let me know if there should be any other corrections...
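Added example (my own code, not from this thread and not Cisco's): a small Python model of how the pre-8.3 ASA picks a global address for a packet under policy NAT, so the difference between the first attempt (destination "host z.y.x.w") and the corrected rules (destination "any") can be checked offline before anything is loaded on the firewall. It assumes first-match evaluation of the nat/access-list statements in configuration order, models only "permit ip" ACEs and single-address global entries (PAT), and uses constructed RFC 5737 documentation addresses (10.1.0.0/24 and 10.2.0.0/24 inside, 203.0.113.10 and 203.0.113.20 as the public PAT addresses, 198.51.100.5 as an Internet host) in place of the thread's a.b.c.d / z.y.x.w placeholders.

```python
"""Model of pre-8.3 ASA policy NAT/PAT address selection (added example)."""
import ipaddress
from dataclasses import dataclass, field

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Ace:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def matches(self, src_ip, dst_ip) -> bool:
        return src_ip in self.src and dst_ip in self.dst


def _endpoint(toks):
    """Parse 'any' | 'host X' | 'X MASK'; return (network, tokens consumed)."""
    if toks[0] == "any":
        return ANY, 1
    if toks[0] == "host":
        return ipaddress.ip_network(toks[1] + "/32"), 2
    return ipaddress.ip_network(f"{toks[0]}/{toks[1]}", strict=False), 2


@dataclass
class PolicyNat:
    acls: dict = field(default_factory=dict)      # acl name -> [Ace]
    nats: list = field(default_factory=list)      # (nat id, acl name), config order
    globals_: dict = field(default_factory=dict)  # nat id -> public address

    def load(self, config: str) -> "PolicyNat":
        for raw in config.strip().splitlines():
            toks = raw.split()
            if toks[0] == "access-list":
                body = toks[3:] if toks[2] == "extended" else toks[2:]
                if body[:2] != ["permit", "ip"]:
                    raise ValueError(f"only 'permit ip' ACEs are modelled: {raw}")
                src, n = _endpoint(body[2:])
                dst, _ = _endpoint(body[2 + n:])
                self.acls.setdefault(toks[1], []).append(Ace(src, dst))
            elif toks[0] == "nat" and toks[3] == "access-list":
                self.nats.append((int(toks[2]), toks[4]))
            elif toks[0] == "global":
                self.globals_[int(toks[2])] = ipaddress.ip_address(toks[3])
            else:
                raise ValueError(f"unsupported line: {raw}")
        return self

    def translate(self, src: str, dst: str):
        """Return the public address src is PATed to for a packet to dst, or None."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for nat_id, acl in self.nats:  # first matching policy NAT statement wins
            if any(ace.matches(s, d) for ace in self.acls.get(acl, [])):
                # a nat statement with no matching global id performs no translation
                return str(self.globals_[nat_id]) if nat_id in self.globals_ else None
        return None  # no policy NAT matched: packet is not translated by these rules


# Constructed configs mirroring the thread's first attempt and its correction.
FIRST_ATTEMPT = """
access-list ITS-pat extended permit ip 10.1.0.0 255.255.255.0 host 203.0.113.10
nat (inside) 10 access-list ITS-pat
global (outside) 10 203.0.113.10
access-list HR-pat extended permit ip 10.2.0.0 255.255.255.0 host 203.0.113.20
nat (inside) 20 access-list HR-pat
global (outside) 20 203.0.113.20
"""

CORRECTED = """
access-list PAT1 permit ip 10.1.0.0 255.255.255.0 any
nat (inside) 10 access-list PAT1
global (outside) 10 203.0.113.10
access-list PAT2 permit ip 10.2.0.0 255.255.255.0 any
nat (inside) 20 access-list PAT2
global (outside) 20 203.0.113.20
"""


def compare(src="10.1.0.7", dst="198.51.100.5"):
    """Show what each config does for one inside host talking to an Internet host."""
    return {
        "first_attempt": PolicyNat().load(FIRST_ATTEMPT).translate(src, dst),
        "corrected": PolicyNat().load(CORRECTED).translate(src, dst),
    }


if __name__ == "__main__":
    print(compare())
```

The model shows why the correction was needed: with "host z.y.x.w" as the destination, the ACE only matches packets whose destination is the firewall's own public address, so ordinary outbound traffic never hits the policy NAT statement; with "any" every flow from the subnet is matched and PATed to its global address. Once the config is on a real ASA, the same check can be run on the box itself with "packet-tracer input inside tcp <inside-host> 12345 <internet-host> 80", whose NAT phase names the rule that matched and the translated address, and active translations can be listed with "show xlate".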
